Description

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Remediation

References

CVE-2021-23358

Related Vulnerabilities

Atlassian Jira Incorrect Behavior Order: Validate Before Canonicalize Vulnerability (CVE-2022-26137)

WordPress Plugin Comment Highlighter SQL Injection (0.13)

WordPress Plugin Flo Forms-Easy Drag & Drop Form Builder Multiple Vulnerabilities (1.0.35)

WordPress Plugin WP-RecentComments SQL Injection (2.0.7)

MySQL CVE-2013-5882 Vulnerability (CVE-2013-5882)

Severity

High

Classification

CVE-2021-23358 CWE-94 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities